IT0004-HSC-A Risk Management

Responsible Office: Office of Cybersecurity

Last Review: 03/01/2025

Next Review: 03/01/2027

Contact: Chris Madeksho

Phone: 901.448.1579

Email: mmadeksh@uthsc.edu

Purpose

To establish a process to manage risks to the University that result from threats to the confidentiality, integrity, and availability of the University of Tennessee Health Science Center’s (UTHSC) data and information systems.

Scope

This Standard applies to all UTHSC data and systems, regardless of technology, that transmit, store, utilize, or manipulate said data. This standard applies to all UTHSC employees, students, and third-party agents/vendors authorized to access UTHSC data. 

Definitions

Data owner – The person who is ultimately responsible for the data and information being collected and maintained by his or her department or division

Risk – The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring

Risk Assessment – The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system

System owner – Person or organization having responsibility for the development, procurement, integration, modification, operation and maintenance, and/or final disposition of an information system

System Security Plan (SSP) – a formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements

Vulnerability – Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source

Responsibilities

Chief Information Security Officer (CISO) is responsible for providing guidance and direction in assessment, planning, and implementation of all security standards, practices, and commitments required. This individual is responsible for adherence to this standard.

Security Analyst is responsible for providing security guidance for the protection of PII, ePHI, and other sensitive information to the UTHSC community. This role and the CISO are responsible for adherence to this standard.

System/Data Owner is responsible for performing the steps related to identifying potential risks and threats and is required to ensure that identified risks are properly categorized and documented in terms of their potential threat to their college, department, or area. The system and data owner(s) are then responsible for developing the risk mitigation plan and working toward complete mitigation of identified risks. The System/Data Owner, or an appointed delegate, is responsible for documenting, tracking, and responding to all information regarding risks to business systems whenever appropriate.

Standard

  1. All Information Systems must be assessed for risk that results from threats to the integrity, availability, and confidentiality of UTHSC data. Assessments should be completed using the guidelines in IT0004-HSC-A.01-Risk Assessment Process prior to purchase of, or significant changes to, an Information System; and at least annually for systems that store, process, or transmit data with a level 2 categorization per IT0005-HSC-A-Data & System Categorization.
  2. Risks identified by a risk assessment must be mitigated or accepted prior to the system being placed into operation.
  3. Residual risks may only be accepted on behalf of the university by a person with the appropriate level of authority as determined by the Chief Information Security Officer. Approval authority may be delegated if documented in writing, but ultimate responsibility for risk acceptance cannot be delegated.
  4. Each Information System must have a system security plan, prepared using input from risk, security, and vulnerability assessments.
  5. Exceptions to this Standard should be requested using the process outlined in IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls.

Policy History

Version #   Effective Date
1           09/23/2020
2           10/13/2021
3           05/17/2022
4           01/11/2023
5           03/01/2025 – new naming convention

References

  1. IT0004-Information Technology Risk Management
  2. IT0004-HSC-A.01-Risk Assessment Process
  3. IT0005-HSC-A-Data & System Categorization
  4. IT0003-HSC-A.02-Security Exceptions and Exemptions to ITS Standards Practices & Controls

Version: 5 // Effective: 01/11/2023